Date: Thu, 10 Mar 2022 10:29:02 -0500
From: Alan Stern
To: Oliver Neukum
Cc: syzbot, gregkh@linuxfoundation.org, linux-kernel@vger.kernel.org, linux-usb@vger.kernel.org, pavel.hofman@ivitera.com, rob@robgreener.com, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] memory leak in usb_get_configuration

On Thu, Mar 10, 2022 at 10:51:42AM +0100, Oliver Neukum wrote:
>
> On 10.03.22 00:54, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit: 0014404f9c18 Merge branch 'akpm' (patches from Andrew)
> > git tree: upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=15864216700000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=3f0a704147ec8e32
> > dashboard link: https://syzkaller.appspot.com/bug?extid=f0fae482604e6d9a87c9
> > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=13a63dbe700000
> > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10e150a1700000
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+f0fae482604e6d9a87c9@syzkaller.appspotmail.com
> >
> #syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git 0014404f9c18
>
>
> From 785609ab0d95c753dc31267b3c4da585c16e0274 Mon Sep 17 00:00:00 2001
> From: Oliver Neukum > Date: Thu, 10 Mar 2022 10:40:36 +0100 > Subject: [PATCH] USB: hub: fix memory leak on failure of usb_get_config > > kfree()s on the error path need to be added. No, they don't. The config and rawdescriptors buffers get freed later on in usb_destroy_configuration(). This problem is something else. Probably whatever driver is calling gspca_probe() (see the console log) is taking a reference to the usb_device or usb_interface and then failing to release that reference on its error path. Alan Stern > Signed-off-by: Oliver Neukum > --- > drivers/usb/core/config.c | 17 +++++++++++++---- > 1 file changed, 13 insertions(+), 4 deletions(-) > > diff --git a/drivers/usb/core/config.c b/drivers/usb/core/config.c > index 48bc8a4814ac..548ce5ca6847 100644 > --- a/drivers/usb/core/config.c > +++ b/drivers/usb/core/config.c > @@ -885,12 +885,16 @@ int usb_get_configuration(struct usb_device *dev) > > length = ncfg * sizeof(char *); > dev->rawdescriptors = kzalloc(length, GFP_KERNEL); > - if (!dev->rawdescriptors) > - return -ENOMEM; > + if (!dev->rawdescriptors) { > + result = -ENOMEM; > + goto err2; > + } > > desc = kmalloc(USB_DT_CONFIG_SIZE, GFP_KERNEL); > - if (!desc) > - return -ENOMEM; > + if (!desc) { > + result = -ENOMEM; > + goto err2; > + } > > for (cfgno = 0; cfgno < ncfg; cfgno++) { > /* We grab just the first descriptor so we know how long > @@ -952,6 +956,11 @@ int usb_get_configuration(struct usb_device *dev) > err: > kfree(desc); > dev->descriptor.bNumConfigurations = cfgno; > +err2: > + kfree(dev->rawdescriptors); > + kfree(dev->config); > + dev->rawdescriptors = NULL; > + dev->config = NULL; > > return result; > } > -- > 2.34.1 >
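
Review bot: In the second hunk, `err2:` sits directly below the existing `err:` block with nothing in between, so every path that reaches `err:` now falls through and frees `dev->rawdescriptors` and `dev->config` too, immediately after `dev->descriptor.bNumConfigurations = cfgno;` has recorded a configuration count for them. The result is a count taken from `cfgno` alongside two NULL arrays. If the new frees are meant only for the two allocation failures in the first hunk, add a `return result;` ahead of `err2:` so `err:` no longer falls into it, and set `dev->descriptor.bNumConfigurations` to 0 wherever the arrays are released so the count and the pointers stay consistent. The commit message also gives no reason why these buffers would otherwise stay allocated; it should state which path was found to leave them unfreed.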